# 返回防注入关键字
getPreventInjectParams = (x) ->
  result = []
  if typeof(x) is "object"
    for k, v of x
      result.push v
  return result

# 防注入关键字中间件
module.exports = (req, res, next) ->
  input_params = ""
  for x in ["params", "query", "body"]
    if req[x]
      input_params += (JSON.stringify(y) for y in getPreventInjectParams(req[x])).join("~")

  if input_params.match(/(select|update|insert|alter|drop|delete|create|show|truncate|exec|when|else|case|length|substr|{|}|\$ne|\$gte|\$gt|\$lt|\$lte|\$in|\$nin|\$exists|\$where|tojson|==|db\.|var|if|sleep|return|;)[^a-zA-Z0-9~_]/i)
    console.error "SQL注入:#{req.path}:#{input_params}"
    res.status(500).send {error: "不合法的参数！"}
    return false
  return next()